Professional Documents
Culture Documents
6 Sonicos-7-0-0-0-Ipsec - VPN
6 Sonicos-7-0-0-0-Ipsec - VPN
IPSec VPN
Administration Guide
Contents
Advanced 80
Configuring Advanced VPN Settings 81
Configuring IKEv2 Settings 82
Using OCSP with SonicWall Network Security Appliances 83
OpenCA OCSP Responder 84
Loading Certificates to Use with OCSP 84
Using OCSP with VPN Policies 85
AWS VPN 99
Overview 99
Creating a New VPN Connection 99
Reviewing the VPN Connection 100
Configuration on the Firewall 100
Configuration on Amazon Web Services 101
Route Propagation 101
AWS Regions 102
Deleting VPN Connections 102
The VPN options provide the features for configuring and displaying your VPN policies. You can configure
various types of IPsec VPN policies, such as site-to-site policies, including GroupVPN, and route-based
Tunnel Interface policies. For specific details on the setting for these kinds of policies, go to the following
sections:
This section provides information on VPN types, discusses some of the security options you can select, and
describes the interface for the NETWORK | IPSec VPN > Rules and Settings page. Subsequent sections
describe how to configure site to site and route-based VPN, advanced settings, DHCP over VPN and L2TP
servers.
Topics:
l About Virtual Private Networks
l VPN Types
l VPN Security
l VPN Base Settings and Displays
l IPv6 VPN Configuration
l VPN Auto-Added Access Rule Control
A VPN is created by establishing a secure tunnel through the Internet. This tunnel is a virtual point-to-point
connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption. It is
flexible in that you can change it at any time to add more nodes, change the nodes, or remove them
altogether. VPN is less costly, because it uses the existing Internet infrastructure.
VPN Types
Several types of VPN protocols can be configured for use:
l IPsec VPN
l DHCP over VPN
l L2TP with IPsec
l SSL VPN
IPsec (Internet Protocol Security) is a standards-based security protocol that was initially developed for IPv6,
but it is also widely used with IPv4 and the Layer 2 Tunneling Protocol. Its design meets most security goals
of authentication, integrity, and confidentiality. IPsec uses encryption and encapsulates an IP packet inside
an IPsec packet. De-encapsulation happens at the end of the tunnel, where the original IP packet is
decrypted and forwarded to its intended destination.
An advantage of using IPsec is that security arrangements can be handled without requiring changes to
individual user computers. It provides two types of security service:
l Authentication Header (AH), which essentially allows authentication of the sender of data
l Encapsulating Security Payload (ESP), which supports both authentication of the sender and
encryption of data
You can use IPsec to develop policy-based VPN (site to site) or route-based VPN tunnels or Layer 2
Tunneling Protocol (L2TP).
The firewall at the remote and central sites are configured for VPN tunnels for initial DHCP traffic as well as
subsequent IP traffic between the sites. The firewall at the remote site passes DHCP broadcast packets
through its VPN tunnel. The firewall at the central site relays DHCP packets from the client on the remote
network to the DHCP server on the central site.
When the process is complete, L2TP packets between the endpoints are encapsulated by IPsec. Because
the L2TP packet itself is wrapped and hidden within the IPsec packet, no information about the internal
private network can be garnered from the encrypted packet. Also, UDP port 1701 does not need to be
opened on firewalls between the endpoints, because the inner packets are not acted upon until after IPsec
data has been decrypted and stripped, which only takes place at the endpoints.
SSL VPN
An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a
standard Web browser. In contrast to the traditional IPsec VPN, an SSL VPN does not require the installation
of specialized client software on the end user's computer. It can be used to give remote users access to Web
applications, client/server applications, and internal network connections.
An SSL VPN consists of one or more VPN devices to which the user connects by using his Web browser. The
traffic between the Web browser and the SSL VPN device is encrypted with the SSL protocol or its
successor, the Transport Layer Security (TLS) protocol. An SSL VPN offers versatility, ease of use and
granular control for a range of users on a variety of computers, accessing resources from many locations.
The two major types of SSL VPNs are:
The SSL Portal VPN allows single SSL connection to a Web site so the end user can securely access
multiple network services. The site is called a portal because it is one door (a single page) that leads to many
other resources. The remote user accesses the SSL VPN gateway using any modern Web browser, identifies
himself or herself to the gateway using an authentication method supported by the gateway and is then
presented with a Web page that acts as the portal to the other services.
The SSL tunnel VPN allows a Web browser to securely access multiple network services, including
applications and protocols that are not Web-based, through a tunnel that is running under SSL. SSL tunnel
VPNs require that the Web browser be able to handle active content, which allows them to provide
functionality that is not accessible to SSL portal VPNs. Examples of active content include Java, JavaScript,
Active X, or Flash applications or plug-ins.
SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transport
Control Protocol (TCP) layers. It also uses the public-and-private key encryption system from RSA, which
also includes the use of a digital certificate. An SRA/SMA appliance uses SSL to secure the VPN tunnel. One
advantage of SSL VPN is that SSL is built into most web browsers. No special VPN client software or
hardware is required.
NOTE: SonicWall makes Secure Mobile Access (SMA) appliances you can use in concert with or
independently of a SonicWall network security appliance running SonicOS/X. For information on
SonicWall SMA appliances, refer to https://www.sonicwall.com/products/remote-access/remote-
access-appliances.
Unless you use a manual key (which must be typed identically into each node in the VPN), the exchange of
information to authenticate the members of the VPN and encrypt/decrypt the data uses the Internet Key
Exchange (IKE) protocol for exchanging authentication information (keys) and establishing the VPN tunnel.
SonicOS/X supports two versions of IKE:
IKE version 1 (IKEv1) Uses a two phase process to secure the VPN tunnel. First, the two nodes
authenticate each other and then they negotiate the methods of encryption.
You can find more information about IKEv1 in the three specifications that
initially define IKE: RFC 2407, RFC 2408, and RFC 2409. They are available
on the web at:
IMPORTANT: IKEv2 is not compatible with IKEv1. When using IKEv2, all nodes in the VPN must use
IKEv2 to establish the tunnels.
DHCP over VPN is not supported in IKEv2.
l About IKEv1
l About IKEv2
About IKEv1
In IKEv1, two modes are used to exchange authentication information:
l Main Mode: The node or gateway initiating the VPN queries the node or gateway on the receiving
end, and they exchange authentication methods, public keys, and identity information. This usually
requires six messages back and forth. The order of authentication messages in Main Mode is:
1. The initiator sends a list of cryptographic algorithms the initiator supports.
2. The responder replies with a list of supported cryptographic algorithms.
3. The initiator send a public key (part of a Diffie-Hellman public/private key pair) for the first
mutually supported cryptographic algorithm.
4. The responder replies with the public key for the same cryptographic algorithm.
5. The initiator sends identity information (usually a certificate).
6. The responder replies with identity information.
l Aggressive Mode: To reduce the number of messages exchanged during authentication by half,
the negotiation of which cryptographic algorithm to use is eliminated. The initiator proposes one
algorithm and the responder replies if it supports that algorithm:
1. The initiator proposes a cryptographic algorithm to use and sends its public key.
2. The responder replies with a public key and identity proof.
3. The initiator sends an identification proof. After authenticating, the VPN tunnel is established
with two SAs, one from each node to the other.
About IKEv2
IKE version 2 (IKEv2) is a newer protocol for negotiating and establishing security associations. Secondary
gateways are supported with IKEv2. IKEv2 is the default proposal type for new VPN policies.
IKEv2 is not compatible with IKEv1. When using IKEv2, all nodes in the VPN must use IKEv2 to establish the
tunnels. DHCP over VPN is not supported in IKEv2.
IKEv2 supports IP address allocation and EAP to enable different authentication methods and remote
access scenarios. Using IKEv2 greatly reduces the number of message exchanges needed to establish a
Security Association over IKEv1 Main Mode, while being more secure and flexible than IKEv1 Aggressive
Security Associations (SAs) in IKEv2 are called Child SAs and can be created, modified, and deleted
independently at any time during the life of the VPN tunnel.
MOBIKE operation is transparent and does not require any extra configuration by you or consideration by
users.
l Encryption Secured Payload (ESP), in which the data portion of each packet is encrypted using a
protocol negotiated between the parties.
l Authentication Header (AH), in which the header of each packet contains authentication
information to ensure the information is authenticated and has not been tampered with. No
encryption is used for the data with AH.
SonicOS/X supports the following Encryption methods for traffic through the VPN:
Most of the Suite B components are adopted from the FIPS standard:
l Advanced Encryption Standard (AES) with key sizes of 128 to 256 bits (provides adequate protection
for classified information up to the SECRET level).
l Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures (provides adequate protection
for classified information up to the SECRET level).
l Elliptic Curve Diffie-Hellman (ECDH) key agreement (provides adequate protection for classified
information up to the SECRET level).
l Secure Hash Algorithm 2 (SHA256, SHA384, SHA512) message digest (provides adequate
protection for classified information up to the TOP SECRET level).
For details on the NETWORK | IPSec VPN > Rules and Settings page, refer to the following:
l Policies
l Active Tunnels
l Settings
NOTE: SonicWall VPN supports both IPv4 and IPv6 (Internet Protocol version 4 and Internet Protocol
version 6). You can toggle between the versions by selecting the one you want in the upper left side of
the window. The default view is for IPv4.
NOTE: You can refresh the active tunnels by using the Refresh option at the top of the Policies and
Active Tunnels tables.
Some statistics about the VPN policies are also summarized below the table, for both site to site and
GroupVPN policies:
NOTE: A VPN Policy cannot have two different WAN interfaces if the VPN Gateway IP is the same.
Active Tunnels
A list of currently active VPN tunnels is displayed in this section.
The Currently Active VPN Tunnels table displays this information for each tunnel:
You can refresh the active tunnels by using the Refresh option at the top of the Policies and Active
Tunnels tables.
Settings
The Settings tab of the NETWORK | IPSec VPN > Rules and Settings page displays the following
information:
Enable VPN Select to enable VPN policies through the SonicWall® security
policies.
Unique Firewall Identifier Identifies this SonicWall appliance when configuring VPN tunnels. The
default value is the serial number of the appliance. You can change
the identifier to something meaningful to you.
There are certain VPN features that are currently not supported for IPv6, including:
NOTE: Because an interface might have multiple IPv6 address, sometimes the local address of the
tunnel might vary periodically. If the user needs a consistent IP address, configure the VPN policy
bound to option as an interface instead of a zone, and specify the address manually. The address must
be one of the IPv6 addresses for that interface.
The maximum number of policies you can add depends on which SonicWall model you have. The larger
models allow more connections.
NOTE: Remote users must be explicitly granted access to network resources. Depending on how you
define access, you can affect the ability of remote clients using GVC to connect to GroupVPN, but you
can also affect remote users using NetExtender and SSL VPN Virtual Office bookmarks to access
network resources. To allow GVC, NetExtender, or Virtual Office users to access a network resource,
the network address objects or groups must be added to the allow list on the VPN Access window. To
access this window, select the DEVICE | Users > Local Users & Groups > Local Users > Add User
> VPN Access.
This section describes site to site policies, including GroupVPN. Other sections describe auto provisioning
and Tunnel Interface policies for route-based VPN. For specific details on the setting for these kinds of
policies, go to the following sections:
Topics:
l Planning Site to Site Configurations
l General VPN Configuration
l Managing GroupVPN Policies
l Creating Site to Site VPN Policies
SonicWall has video clips and knowledge base articles that can help you with some of those decisions.
VIDEO: Informational videos with site to site VPN configuration examples are available online. For
example, see How to Create a Site to Site VPN in Main Mode using Preshared Secret or How to Create
Aggressive Mode Site to Site VPN using Preshared Secret.
Additional videos are available at: https://www.sonicwall.com/support/video-tutorials.
TIP: See the knowledge base articles for information about Site to Site VPNs:
VPN: Types of Site to Site VPN Scenarios and Configurations (SW12884)
Troubleshooting articles of Site to Site VPN (SW7570)
When designing your VPN configurations, be sure to document all pertinent IP addressing information. You
might want to create a network diagram to use as a reference. A few other things to note:
l The firewall must have a routable WAN IP address whether it is dynamic or static.
l In a VPN network with dynamic and static IP addresses, the VPN gateway with the dynamic address
must initiate the VPN connection.
To configure a VPN:
1. Navigate to the NETWORK | IPSec VPN > Rules and Settings page.
2. Make the appropriate version selection either IPv4 or IPv6.
3. Click +Add.
4. Complete the General, Network, Proposals, and Advanced tabs on the VPN Policy dialog. The
following sections provide additional information for each of those tabs.
Topics:
l Configuring Settings on the General Tab
l Configuring Settings on the Network Tab
l Configuring Settings on the Proposals Tab
l Configuring Settings on the Advanced Tab
1. If configuring an IPv4 VPN, select Policy Type from the drop-down menu.
NOTE: The Policy Type field is not available for IPv6.
2. Select the authentication method from the Authentication Method drop-down menu. The
remaining fields in the General tab change depending on which option you select. The following
options are available.
IPv4 IPv6
Manual Key Manual Key
IKE using Preshared Secret (default) IKE using Preshared Secret (default)
IKE using 3rd Party Certificates IKE using 3rd Party Certificates
SonicWall Auto Provisioning Client
SonicWallAuto Provisioning Server
3. Type in a Name for the policy.
4. For IPsec Primary Gateway Name or Address, type in the gateway name or address.
5. For IPsec Secondary Gateway Name or Address, type in the gateway name or address.
6. Under IKE Authentication, provide the required authentication information.
NOTE: When configuring IKE authentication, IPv6 addresses can be used for the local and peer
IKE IDs.
On the Network tab of the VPN policy, select the local and remote networks from the Local Network and
Remote Network options.
For IPv6, the drop-down menus are the only option provided and only address objects that can be used by
IPv6 are listed. Because DHCP is not supported, those options are not available. Also the Any address
option for Local Networks and the Tunnel All option for Remote Networks are removed. An all-zero IPv6
Network address object could be selected for the same functionality and behavior.
For IPv4, additional options are provided. Under Local Networks, you can Choose local network from
list or choose Any address. If Any address is selected, auto-added rules are created between Trusted
Zones and the VPN zone.
For IPv4 under Remote Networks, you can chose one of the following:
l Use this VPN tunnel as default route for all Internet traffic.
l Choose destination network from list. If none are listed you can create a new address object or
address group.
l Use IKEv2 IP Pool. Select this to support IKEv2 Config Payload.
Option IP Version
IPv4 IPv6
Enable Keep Alive Supported Supported
Suppress automatic Access Rules Supported –
creation for VPN Policy
Disable IPsec Anti-Replay Supported Supported
Enable Windows Networking Supported –
(NetBIOS) Broadcast
Enable Multicast Supported –
Display Suite B Compliant Algorithms Supported Supported
Only
Apply NAT Policies Supported –
Using Primary IP Address – Supported
Because an interface might have multiple IPv6 addresses, sometimes the local address of the tunnel might
vary periodically. If a user needs a consistent IP address, select either the Using Primary IP Address or
Specify the local gateway IP address option, or configure the VPN policy to be bound to an interface instead
of a Zone. With Specify the local gateway IP address, specify the address manually. The address must be
one of the IPv6 addresses for that interface.
GroupVPN policies facilitate the set up and deployment of multiple Global VPN Clients by the firewall
administrator. GroupVPN is only available for GVC and you should use XAUTH/RADIUS or third-party
certificates in conjunction with it for added security. For more information on how to create GroupVPN
policies for any zones, navigate to OBJECT | Match Objects > Zones | +Add Zone.
SonicOS/X provides default GroupVPN policies for the WAN zone and the WLAN zone, as these are
generally the less trusted zones. These default GroupVPN policies are listed in the VPN Policies table on
the NETWORK | IPSec VPN > Rules and Settings page and can be customized:
l WAN GroupVPN
l WLAN GroupVPN
NOTE: GroupVPN policies are not automatically created in SonicOS/X with factory default settings.
However, these policies remain unchanged on appliances that are upgraded from an earlier version of
SonicOS/X. For information about Group VPN and Global VPN Client, refer to Types of Group
VPN/Global VPN Client Scenarios and Configurations (SW7411).
Topics:
l Configuring IKE Using a Preshared Secret Key
l Configuring IKE Using 3rd Party Certificates
l Downloading a GroupVPN Client Policy
Advanced Settings
Disable IPsec Anti- Stops packets with duplicate sequence numbers from being dropped.
Replay
Enable Multicast Enables IP multicasting traffic, such as streaming audio (including VoIP)
and video applications, to pass through the VPN tunnel.
Accept Multiple Allows multiple proposals for clients, such as the IKE (Phase 1) Proposal
Proposals for or the IKE (Phase 2) Proposal, to be accepted.
Clients
Enable IKE Mode Allows SonicOS/X to assign internal IP address, DNS Server, or WINS
Configuration Server to third-party clients, like iOS devices or Avaya IP phones.
Management via If using the VPN policy to manage the firewall, select the management
this SA: method, either HTTP, SSH, or HTTPS.
NOTE: SSH is valid for IPv4 only.
Default Gateway Allows you to specify the IP address of the default network route for
incoming IPsec packets for this VPN policy. Incoming packets are
decoded by the firewall and compared to static routes configured in the
firewall. As packets can have any IP address destination, it is impossible
to configure enough static routes to handle the traffic. For packets
received through an IPsec tunnel, the firewall looks up a route. If no
route is found, the security appliance checks for a Default Gateway. If a
Default Gateway is detected, the packet is routed through the gateway.
Otherwise, the packet is dropped.
9. Select any of the following settings you want to apply to your GroupVPN policy.
USER NAME AND PASSWORD CACHING
Cache XAUTH User Allows the Global VPN Client to cache the user name and password:
Name and l If Never is selected, the Global VPN Client is not allowed to cache the
Password on username and password. The user is prompted for a username and
Client password when the connection is enabled and also every time there is
an IKE Phase 1 rekey. This is the default.
l If Single Session is selected, the Global VPN Client user is
prompted for username and password each time the connection is
enabled and is valid until the connection is disabled. The username
and password is used through IKE Phase 1 rekey.
l If Always is selected Global VPN Client user prompted for username
CLIENT CONNECTIONS
Virtual Adapter The use of the Virtual Adapter by the Global VPN Client (GVC) is
Settings dependent upon a DHCP server, either the internal SonicOS/X or a
specified external DHCP server, to allocate addresses to the Virtual
Adapter. In instances where predictable addressing is a requirement,
obtain the MAC address of the Virtual Adapter and to create a DHCP
lease reservation. To reduce the administrative burden of providing
predictable Virtual Adapter addressing, you can configure the
GroupVPN to accept static addressing of the Virtual Adapter's IP
configuration.
This feature requires the use of SonicWall GVC.
Select one of the following:
Choose None if a Virtual Adapter is not used by this GroupVPN
connection. This is the default.
Choose DHCP Lease if the Virtual Adapter obtains its IP configuration
from the DHCP Server only, as configured in the VPN > DHCP over
VPN page.
Choose DHCP Lease or Manual Configuration when the GVC connects
to the firewall, the policy from the firewall instructs the GVC to use a
Virtual Adapter, but the DHCP messages are suppressed if the Virtual
Adapter has been manually configured. The configured value is
recorded by the firewall so it can proxy ARP for the manually assigned
IP address. By design, the Virtual Adapter currently has no limitations
on IP address assignments. Only duplicate static addresses are not
permitted.
Allow Connections Client network traffic that matches the destination networks of each
to gateway is sent through the VPN tunnel of that specific gateway. Select
one of the following:
l This Gateway Only allows a single connection to be enabled at a
time. Traffic that matches the destination networks as specified in
the policy of the gateway is sent through the VPN tunnel. If this
option is selected with Set Default Route as this Gateway, then
the Internet traffic is also sent through the VPN tunnel. If selected
without selecting Set Default Route as this Gateway, then the
Internet traffic is blocked.
l All Secured Gateways allows one or more connections to be
enabled at the same time. Traffic matching the destination networks
of each gateway is sent through the VPN tunnel of that specific
gateway.
If this option is selected along with Set Default Route as this
Gateway, Internet traffic is also sent through the VPN tunnel.
l If this option is selected along without Set Default Route as this
Gateway, the Internet traffic is blocked. Only one of the multiple
3. In the Security Policy section, select IKE using 3rd Party Certificates from the Authentication
Method drop-down menu.
NOTE: The VPN policy name is GroupVPN by default and cannot be changed.
4. Select a certificate for the firewall from the Gateway Certificate drop-down menu.
If you did not download your third-party certificates before starting this procedure, the Gateway
Certificates field shows - No verified third-party certs.
Distinguished Name Based on the certificate’s Subject Distinguished Name field, which is
contained on all certificates by default and is set by the issuing
Certificate Authority.
The format of any Subject Distinguished Name is determined by the
issuing Certificate Authority. Common fields are Country (C=),
Organization (O=), Organizational Unit (OU=), Common Name (CN=),
Locality (L=), and vary with the issuing Certificate Authority. The actual
Subject Distinguished Name field in an X.509 Certificate is a binary
object which must be converted to a string for matching purposes. The
fields are separated by the forward slash character, for example:
/C=US/O=SonicWall, Inc./OU=TechPubs/CN=Joe Pub.
Up to three organizational units can be specified. The usage is
c=*;o=*;ou=*;ou=*;ou=*;cn=*. The final entry does not need to
contain a semi-colon. You must enter at least one entry, for example,
c=us.
E-mail ID E-mail ID and Domain ID are based on the certificate’s Subject
Alternative Name field, which is not contained on all certificates by
Domain ID default. If the certificate does not contain a Subject Alternative Name
field, this filter does not work.
6. Enter the Peer ID filter in the Peer ID Filter field.
The Email ID and Domain Name filters can contain a string or partial string identifying the
acceptable range required. The strings entered are not case sensitive and can contain the wild card
characters * (for more than 1 character) and? (for a single character). For example, when Email ID is
selected, the string *@SonicWall.com allows anyone with an email address that ended in
@SonicWall.com to have access; when Domain Name is selected, the string
*sv.us.SonicWall.com allows anyone with a domain name that ended in sv.us.SonicWall.com
to have access.
7. Select Allow Only Peer Certificates Signed by Gateway Issuer to specify that peer certificates
must be signed by the issuer specified in the Gateway Certificate menu.
12. Select any of the following optional settings that you want to apply to your GroupVPN Policy:
Disable IPsec Anti-Replay Anti-Replay is a form of partial sequence integrity and it detects
arrival of duplicated I datagrams (within a constrained window).
Enable Multicast Enables IP multicasting traffic, such as streaming audio
(including VoIP) and video applications, to pass through the VPN
tunnel.
Accept Multiple Proposal Allows multiple proposals for clients, such as the IKE (Phase 1)
fro Clients Proposal or the IKE (Phase 2) Proposal, to be accepted.
Enable IKE Mode Allows SonicOS/X to assign internal IP address, DNS Server or
Configuration WINS Server to Third-Party Clients like iOS devices or Avaya IP
Phones.
Management via this SA If using the VPN policy to manage the firewall, select one or more
management methods, HTTP, SSH, or HTTPS.
NOTE: SSH is valid for IPv4 only.
Default Gateway Used at a central site in conjunction with a remote site using the
Route all Internet traffic through this SA checkbox. Default
LAN Gateway allows you to specify the IP address of the default
LAN route for incoming IPsec packets for this SA.
Incoming packets are decoded by the firewall and compared to
static routes configured in the firewall. Because packets can have
any IP address destination, it is impossible to configure enough
static routes to handle the traffic. For packets received through
an IPsec tunnel, the firewall looks up a route for the LAN. If no
route is found, the firewall checks for a Default LAN Gateway. If a
Default LAN Gateway is detected, the packet is routed through
the gateway. Otherwise, the packet is dropped.
14. Select any of the following boxes that you want to apply to Global VPN Client provisioning:
Cache XAUTH User Allows the Global VPN Client to cache the user name and password:
Name and l Choose Never to prohibit the Global VPN Client from caching the
Password username and password. The user is prompted for a username and
password when the connection is enabled and also every time there
is an IKE phase 1 rekey.
l Choose Single Session to prompt the user for username and
password each time the connection is enabled, which is valid until
the connection is disabled. This username and password is used
through IKE phase 1 rekey.
l Choose Always to prompt the user for username and password only
once when the connection is enabled. When prompted, the user is
given the option of caching the username and password.
Virtual Adapter The use of the Virtual Adapter by the Global VPN Client (GVC) is
Settings dependent upon a DHCP server, either the internal SonicOS/X or a
specified external DHCP server, to allocate addresses to the Virtual
Adapter.
In instances where predictable addressing is a requirement, obtain the
MAC address of the Virtual Adapter, and to create a DHCP lease
reservation. To reduce the administrative burden of providing
IMPORTANT: The GroupVPN SA (Secure Association) must be enabled on the firewall to download a
configuration file.
rcf format is required for SonicWall Global VPN Clients is the default. Files saved in the rcf
format can be password encrypted. The firewall provides a default file name for the configuration file,
which you can change.
4. Click Yes.
5. In the drop-down menu for Select the client Access Network(s) you wish to export, select VPN
Access Network.
The file can be saved or sent electronically to remote users to configure their Global VPN Clients.
You can create or modify existing site to site VPN policies. To add a policy, click +Add in the VPN Policies
table; to modify an existing policy click the Edit icon for that policy. The following options can be set up when
configuring a site to site VPN:
This section also contains information on how to configure the remote SonicWall firewall and how to
configure a static route to act as a failover in case the VPN tunnel failure.
NOTE: Informational videos with site to site VPN configuration examples are available online. For
example, see How to Create a Site to Site VPN in Main Mode using Preshared Secret or How to Create
Aggressive Mode Site to Site VPN using Preshared Secret.
Additional videos are available at: https://www.sonicwall.com/support/video-tutorials.
Choose local Select a local network from the drop-down menu if a specific network
network from list can access the VPN tunnel.
Any address Use this option if traffic can originate from any local network or if a peer
has Use this VPN tunnel as default route for all Internet traffic
selected. Auto-added rules are created between Trusted Zones and the
VPN Zone.
NOTE: DHCP over VPN is not supported with IKEv2.
14. Under Remote Networks, select one of the following:
Use this VPN Tunnel Select this option if traffic from any local user cannot leave the firewall
as default route for unless it is encrypted.
all Internet traffic NOTE: You can only configure one SA to use this setting.
Destination network Select this option if the remote network requests IP addresses from a
obtains IP DHCP Server in the local network.
addresses using NOTE: This option is only available if Main Mode or Aggressive
DHCP through this Mode is selected on the Proposals tab.
VPN Tunnel
Choose Destination Select a remote network from the drop-down menu.
network from list
Use IKEv2 IP Pool Select this option to support IKEv2 Config Payload.
NOTE: This option is only available if IKEv2 Mode is selected on
the Proposals tab.
16. Under IKE (Phase 1) Proposal, choose one of the following options from the Exchange drop-down
menu:
Main Mode Uses IKEv1 Phase 1 proposals with IPsec Phase 2 proposals. Suite B
cryptography options are available for the DH Group in IKE Phase 1
settings, and for Encryption in the IPsec Phase 2 settings.
Aggressive Mode Generally used when WAN addressing is dynamically assigned. Uses
IKEv1 Phase 1 proposals with IPsec Phase 2 proposals. Suite B
cryptography options are available for the DH Group in IKE Phase 1
settings, and for Encryption in the IPsec Phase 2 settings.
IKEv2 Mode Causes all negotiation to happen through IKEv2 protocols, rather than
using IKEv1 phase 1.
NOTE: If you select IKE v2 Mode, both ends of the VPN tunnel
must use IKE v2. When selected, the DH Group, Encryption, and
Authentication fields are dimmed and cannot be defined.
17. Under IKE (Phase 1) Proposal, set the values for the remaining options. The default values for DH
Group, Encryption, Authentication, and Life Time are acceptable for most VPN configurations.
NOTE: If IKEv2 Mode is selected for the Exchange field, the DH Group, Encryption, and
Authentication fields are dimmed and no selection can be made for those options.
NOTE: Be sure the Phase 1 values on the opposite side of the tunnel are configured to match.
a. For the DH Group, when in Main Mode or Aggressive Mode, you can select from several
Diffie-Hellman exchanges:
19. Select any of the optional settings you want to apply to your VPN policy. The options change
depending on options you selected in the Proposals screen.
10. Define an Incoming SPI and an Outgoing SPI. A Security Parameter Index (SPI) is hexadecimal
and can range from 3 to 8 characters in length.
IMPORTANT: Each Security Association (SA) must have unique SPIs; no two SAs can share the
same SPIs. However, each SA Incoming SPI can be the same as the Outgoing SPI.
11. The default values for Protocol, Encryption, and Authentication are acceptable for most VPN SA
configurations; otherwise, select values from the drop-down menu.
NOTE: The values for Protocol, Encryption, and Authentication must match the values on
the remote firewall.
l If you selected ESP in the Protocol field, then in the Encryption field you can select from six
encryption algorithms that are included in Suite B cryptography:
l DES
l 3DES
l AES-128 (default)
l AES-192
l AES-256
l None
l If you selected AH in the Protocol field, the Encryption field is grayed out, and you cannot
select any options.
12. In the Encryption Key field, enter a 48-character hexadecimal encryption key or use the default
15. Select any of the following optional settings you want to apply to your VPN policy.
Option Definition
Suppress automatic When not selected (default), accompanying Access Rules are
Access Rules creation created automatically. See VPN Auto-Added Access Rule Control
for VPN Policy for more information.
Enable Windows Select to allow access to remote network resources by browsing
Networking (NetBIOS) the Windows Network Neighborhood.
Broadcast
WXA Group Select None (default) or Group One.
Apply NAT Policies Select if you want the firewall to translate traffic going over the
Local network, Remote network, or both networks that are
communicating through the VPN tunnel. When selected, choose a
Translated Local Network or a Translated Remote Network or
one of each from the two drop-down menus.
NOTE: Generally, if NAT is required on a tunnel, either Local
or Remote should be translated, but not both. Apply NAT
Policies is particularly useful in cases where both side of a
tunnel use either the same or overlapping subnets.
With SonicWall firewalls, you can opt to use third-party certificates for authentication instead of the
SonicWall Authentication Service. Using certificates from a third-party provider or using local certificates is a
more manual process; therefore, experience with implementing Public Key Infrastructure (PKI) is necessary
to understand the key components of digital certificates.
l VeriSign
l Entrust
15. In the IKE (Phase 1) Proposal section, select the following settings:
Main Mode Uses IKEv1 Phase 1 proposals with IPsec Phase 2 proposals. Suite B
cryptography options are available for the DH Group in IKE Phase 1
settings, and for Encryption in the IPsec Phase 2 settings.
Aggressive Mode Generally used when WAN addressing is dynamically assigned. Uses
IKEv1 Phase 1 proposals with IPsec Phase 2 proposals. Suite B
cryptography options are available for the DH Group in IKE Phase 1
settings, and for Encryption in the IPsec Phase 2 settings.
IKEv2 Mode Causes all negotiation to happen through IKEv2 protocols, rather than
using IKEv1 phases.
NOTE: If you select IKE v2 Mode, both ends of the VPN tunnel
must use IKE v2. When selected, the DH Group, Encryption, and
Authentication fields are dimmed and cannot be defined.
16. Under IKE (Phase 1) Proposal, set the values for the remaining options. The default values for DH
Group, Encryption, Authentication, and Life Time are acceptable for most VPN configurations.
TIP: If Window Networking (NetBIOS) has been enabled, users can view remote computers in their
Windows Network Neighborhood. Users can also access resources on the remote LAN by entering
servers’ or workstations’ remote IP addresses.
l When a VPN tunnel is active: static routes matching the destination address object of the VPN
tunnel are automatically disabled if the Allow VPN path to take precedence option is enabled. All
traffic is routed over the VPN tunnel to the destination address object.
l When a VPN tunnel goes down: static routes matching the destination address object of the VPN
tunnel are automatically enabled. All traffic to the destination address object is routed over the static
routes.
3. Type a descriptive name for the policy into the Name field.
NOTE: The Hub in a hub-and-spoke site-to-site VPN configuration can be referred to using various
names, such as Server, Hub Gateway, Primary Gateway, Central Gateway. In the context of the VPN
Auto Provisioning feature, the term VPN AP Server is used for the Hub. Similarly, the term VPN AP
Client is used to refer to a Spoke, Client, Remote Gateway, Remote Firewall, or Peer Firewall.
When using SonicWall GVC, a user merely points the GVC at a gateway; security and connection
configuration occur automatically. VPN Auto Provisioning provides a similar solution for provisioning site-to-
site hub-and-spoke configurations, simplifying large scale deployment to a trivial effort.
An added advantage is that after the initial VPN auto-provisioning, policy changes can be controlled at the
central gateway and automatically updated at the spoke end. This solution is especially appealing in
Enterprise and Managed Service deployments where central management is a top priority.
l SonicWall Auto Provisioning Server configuration for the central gateway, or VPN AP Server
l SonicWall Auto Provisioning Client configuration for the remote firewall, or VPN AP Client
Both are configured by adding a VPN policy on the NETWORK | IPSec VPN > Rules and Settings page.
In Server mode, you configure the Security Association (SA), Protected Networks, and other configuration
fields as in a classic site-to-site VPN policy. In Client mode, limited configuration is needed. In most cases
the remote firewall administrator simply needs to configure the IP address to connect to the peer server
(central gateway), and then the VPN can be established.
NOTE: SonicWall does not recommend configuring a single appliance as both an AP Server and an AP
Client at the same time.
VPN Auto Provisioning is simple on the client side while still providing the essential elements of IP security:
Access Network access control is provided by the VPN AP Server. From the VPN AP Client
Control perspective, destination networks are entirely under the control of the VPN AP Server
administrator. However, a mechanism is provided to control access to VPN AP Client
local networks.
Authentication Authentication is provided with machine authentication credentials. In Phase 1 of the
IPsec proposal, the Internet Key Exchange (IKE) protocol provides machine-level
authentication with preshared keys or digital signatures. You can select one of these
authentication methods when configuring the VPN policy.
For the preshared key authentication method, the administrator enters the VPN Auto
Provisioning client ID and the key, or secret. For the digital signatures authentication
method, the administrator selects the X.509 certificate which contains the client ID
from the firewall’s local certificate store. The certificate must have been previously
stored on the firewall.
When policy changes occur at the VPN AP Server that affect a VPN AP Client configuration, the VPN AP
Server uses IKE re-key mechanisms to ensure that a new Security Association with the appropriate
parameters is established.
To allow IKE Phase 1 to be established, the set of possible choices is restricted; the VPN AP Client proposes
multiple transforms (combined security parameters) from which the VPN AP Server can select its configured
values. A Phase 1 transform contains the following parameters:
The VPN AP Server responds by selecting a single transform from those contained in the VPN AP Client
proposal. If the VPN AP Server selects a transform which uses an XAUTH Authentication Method, the VPN
AP Client awaits an XAUTH challenge following Phase 1 completion. If a non-XAUTH transform is chosen,
the provisioning phase begins. The VPN AP Server provisions the VPN AP Client with the appropriate policy
After the Phase 1 SA is established and policy provisioning has completed, the Destination Networks appear
in the VPN Policies section of the NETWORK | IPSec VPN > Rules and Settings page.
NOTE: If the same VPN policy on the AP Server is shared with multiple remote AP Clients, each remote
network must be specifically listed as a unique address object. The individual address objects can be
summarized in an Address Group when added to the Remote Networks section during configuration of
the VPN AP server policy settings on the Network screen. A single address object cannot be used to
summarize multiple remote networks as the SA is built based on the specific address object.
Upon success, the resulting tunnel appears in the Active Tunnels list.
A NAT rule is also added to the POLICY | Rules and Policies > NAT Rules table.
As Phase 2 parameters are provisioned by the VPN AP Server, there is no chance of a configuration
mismatch. If Phase 2 parameters change at the VPN AP Server, all Phase 1 and Phase 2 Security
Associations are deleted and renegotiated, ensuring policy synchronization.
Because of the number of settings being described, the configuration is presented in multiple sections:
10. Select one of the following from the VPN AP Client ID Type drop-down menu:
l Distinguished name (DN)
l E-Mail ID (UserFQDN)
l Domain name (FQDN)
l IP Address (IPV4)
11. In the VPN AP Client ID Filter, type in a matching string or filter to be applied to the Certificate ID
presented during IKE negotiation.
12. Continue to Configuring VPN AP Server Settings on Network.
2. Under IKE (Phase 1) Proposal, enter the phase 1 proposal lifetime in seconds. The default setting
of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
2. Select Disable IPsec Anti-Replay to prevent packets with duplicate sequence numbers from being
dropped.
3. Select Enable Multicast to allow IP multicasting traffic, such as streaming audio (including VoIP)
and video applications, to pass from the VPN AP Server over any VPN AP Client SA established using
this policy.
4. If you are using SonicWall WAN Acceleration, select a value from the WXA Group drop-down menu.
5. Optionally select Display Suite B Compliant Algorithms Only.
6. For Management via this SA, select one or more of the checkboxes to allow remote users to
manage the VPN AP Server through the VPN tunnel using HTTPS, SSH, or SNMP.
7. For User login via this SA, select one or more of the checkboxes to allow remote users to log in
through the VPN tunnel using HTTP or HTTPS.
8. In the Default LAN Gateway (optional) field, optionally enter the default LAN gateway IP address
of the VPN AP Server. If a static route cannot be found for certain traffic, the VPN AP Server forwards
the traffic out the configured default LAN gateway.
NOTE: This option might not work in some versions of SonicOS/X.
5. In the Name field, type in a descriptive name for the VPN policy.
6. In the IPsec Primary Gateway Name or Address field, enter the Fully Qualified Domain Name
(FQDN) or the IPv4 address of the VPN AP Server.
7. For Authentication Method, select either:
l Preshared Secret – Uses the VPN Auto Provisioning client ID and shared secret that you
enter next. This option is selected by default. Proceed to Step 8.
With the route-based VPN approach, network topology configuration is removed from the VPN policy
configuration. The VPN policy configuration creates an unnumbered Tunnel Interface between two end
points. Static or dynamic routes can then be added to the Tunnel Interface. The route-based VPN approach
moves network configuration from the VPN policy configuration to static or dynamic route configuration.
Route-based VPN makes configuring and maintaining the VPN policy easier, and provides flexibility on how
traffic is routed. You can define multiple paths for overlapping networks over a clear or redundant VPN.
For auto provisioning of VPN networks, refer to VPN Auto Provisioning for details.
Topics:
l Adding a Tunnel Interface
l Route Entries for Different Network Segments
l Redundant Static Routes for a Network
The Tunnel Interface is created when a Policy of type Tunnel Interface is added for the remote gateway.
The Tunnel Interface must be bound to a physical interface and the IP address of that physical interface is
used as the source address of the tunneled packet.
4. On the General screen, select Tunnel Interface as the Policy Type. The options change.
5. Select one the following for Authentication Method:
l Manual Key
l IKE using Preshared Secret (default)
l IKE using 3rd Party Certificates
l SonicWall Auto Provisioning Client
l SonicWall Auto Provisioning Server
The remaining fields in the General screen change depending on which option you select.
For more information about the available selections, see:
l Configuring with a Manual Key
l Configuring with a Preshared Secret Key
l Configuring with a Third-Party Certificate
l Configuring a VPN AP Client
l Configuring a VPN AP Server
7. Under IKE (Phase 1) Proposal, choose one of the following options from the Exchange drop-down
menu:
Main Mode Uses IKEv1 Phase 1 proposals with IPsec Phase 2 proposals. Suite B
cryptography options are available for the DH Group in IKE Phase 1
settings, and for Encryption in the IPsec Phase 2 settings.
Aggressive Mode Generally used when WAN addressing is dynamically assigned. Uses
IKEv1 Phase 1 proposals with IPsec Phase 2 proposals. Suite B
cryptography options are available for the DH Group in IKE Phase 1
settings, and for Encryption in the IPsec Phase 2 settings.
IKEv2 Mode Causes all negotiation to happen through IKEv2 protocols, rather than
using IKEv1 phases.
NOTE: If you select IKE v2 Mode, both ends of the VPN tunnel
must use IKE v2. When selected, the DH Group, Encryption, and
Authentication fields are disabled and cannot be defined.
8. Under IKE (Phase 1) Proposal, set the values for the remaining options. The default values for DH
Group, Encryption, Authentication, and Life Time are acceptable for most VPN configurations.
NOTE: Be sure the Phase 1 values on the opposite side of the tunnel are configured to match.
a. For the DH Group, when in Main Mode or Aggressive Mode, you can select from several
Diffie-Hellman exchanges:
11. The following advanced options can be configured; by default, none are selected:
ADVANCED SETTINGS
IKEV2 SETTINGS
Advanced
The NETWORK | IPSec VPN > Advanced page has two sections:
Topics:
l Configuring Advanced VPN Settings
l Configuring IKEv2 Settings
l Enable IKE Dead Peer Detection - Select if you want inactive VPN tunnels to be dropped by the
firewall.
l Dead Peer Detection Interval - Enter the number of seconds between “heartbeats.” The
default value is 60 seconds.
l Failure Trigger Level (missed heartbeats) - Enter the number of missed heartbeats. The
default value is 3. If the trigger level is reached, the VPN connection is dropped by the firewall.
The firewall uses a UDP packet protected by Phase 1 Encryption as the heartbeat.
l Enable Dead Peer Detection for Idle VPN Sessions - Select this setting if you want idle
VPN connections to be dropped by the firewall after the time value defined in the Dead Peer
Detection Interval for Idle VPN Sessions (seconds) field. The default value is 600
seconds (10 minutes).
l Enable Fragmented Packet Handling - If the VPN log report shows the log message Fragmented
IPsec packet dropped, select this feature. Do not select it until the VPN tunnel is established and
in operation.
l Ignore DF (Don't Fragment) Bit - Select this checkbox to ignore the DF bit in the packet
header. Some applications can explicitly set the ‘Don’t Fragment’ option in a packet, which
tells all security appliances to not fragment the packet. This option, when enabled, causes the
firewall to ignore the option and fragment the packet regardless.
l Enable NAT Traversal - Select this setting if a NAT device is located between your VPN endpoints.
IPsec VPNs protect traffic exchanged between authenticated endpoints, but authenticated endpoints
cannot be dynamically re-mapped mid-session for NAT traversal to work. Therefore, to preserve a
dynamic NAT binding for the life of an IPsec session, a 1-byte UDP is designated as a “NAT Traversal
keepalive” and acts as a “heartbeat” sent by the VPN device behind the NAT or NAPT device. The
“keepalive” is silently discarded by the IPsec peer.
l Clean up Active Tunnels when Peer Gateway DNS name resolves to a different IP address -
Breaks down SAs associated with old IP addresses and reconnects to the peer gateway.
l Enable OCSP Checking and OCSP Responder URL - Enables use of Online Certificate Status
Protocol (OCSP) to check VPN certificate status and specifies the URL where to check certificate
status. See Using OCSP with SonicWall Network Security Appliances.
l Send VPN Tunnel Traps only when tunnel status changes - Reduces the number of VPN tunnel
traps that are sent by only sending traps when the tunnel status changes.
l Use RADIUS in - The primary reason for choosing this option is so that VPN client users can
make use of the MSCHAP feature to allow them to change expired passwords at login time.
When using RADUIS to authenticate VPN client users, select whether RADIUS is used in one
of these modes:
l MSCHAP
l MSCHAPv2 mode for XAUTH (allows users to change expired passwords)
l DNS Servers – Select whether to specify the DNS servers dynamically or manually:
l Inherit DNS Settings Dynamically from the SonicWall’s DNS settings – The
SonicWall appliance obtains the DNS server IP addresses automatically.
l Specify Manually – Enter up to three DNS server IP addresses in the DNS Server 1/3
fields.
l WINS Servers – Enter up to two WINS server IP address in the WINS Server 1/2 fields.
l Send IKEv2 Cookie Notify – Sends cookies to IKEv2 peers as an authentication tool.
l Send IKEv2 Invalid SPI Notify – Sends an invalid Security Parameter Index (SPI) notification to
IKEv2 peers when an active IKE security association (SA) exists. This option is selected by default.
l IKEv2 Dynamic Client Proposal – SonicOS/X provides IKEv2 Dynamic Client Support, which
provides a way to configure the Internet Key Exchange (IKE) attributes rather than using the default
settings.
Clicking Configure launches the Configure IKEv2 Dynamic Client Proposal dialog.
The main disadvantage of Certificate Revocation Lists is the need for frequent updates to keep the CRL of
every client current. These frequent updates greatly increase network traffic when the complete CRL is
downloaded by every client. Depending on the frequency of the CRL updates, a period of time can exist
when a certificate is revoked by the CRL but the client has not received the CRL update and permits the
certificate to be used.
Online Certificate Status Protocol determines the current status of a digital certificate without using a CRL.
OCSP enables the client or application to directly determine the status of an identified digital certificate.
This provides more timely information about the certificate than is possible with CRLs. In addition, each
client typically only checks a few certificates and does not incur the overhead of downloading an entire CRL
for only a few entries. This greatly reduces the network traffic associated with certificate validation.
The OCSP client communicates with an OCSP responder. The OCSP responder can be a CA server or
another server that communicates with the CA server to determine the certificate status. The OCSP client
issues a status request to an OCSP responder and suspends the acceptance of the certificate until the
responder provides a response. The client request includes data such as protocol version, service request,
target certificate identification and optional extensions. These optional extensions might or might not be
acknowledged by the OCSP responder.
The OCSP responder receives the request from the client and checks that the message is properly formed
and if the responder is able to respond to the service request. Then it checks if the request contains the
correct information needed for the service desired. If all conditions are satisfied, the responder returns a
definitive response to the OCSP client. The OCSP responder is required to provide a basic response of
GOOD, REVOKED, or UNKNOWN. If both the OCSP client and responder support the optional extensions,
other responses are possible. The GOOD state is the desired response as it indicates the certificate has not
been revoked. The REVOKED state indicates that the certificate has been revoked. The UNKNOWN state
indicates the responder does not have information about the certificate in question.
OCSP servers typically work with a CA server in push or pull setup. The CA server can be configured to push
a CRL list (revocation list) to the OCSP server. Additionally the OCSP server can be configured to
periodically download (pull) the CRL from the CA server. The OCSP server must also be configured with an
OCSP response signing certificate issued by the CA server. The signing certificate must be properly
formatted or the OCSP client cannot accept the response from the OSCP server.
To configure OCSP checking for individual VPN policies, use the Advanced tab of the VPN
Policy configuration page:
1. Select Enable OCSP Checking.
2. Specify the OCSP Responder URL of the OCSP server, for example http://192.168.168.220:2560
where 192.168.168.220 is the IP address of your OCSP server and 2560 is the default port of
operation for the OpenCA OCSP responder service.
Topics:
l DHCP Relay Mode
l Configuring the Central Gateway for DHCP Over VPN
l Configuring DHCP over VPN Remote Gateway
l Current DHCP over VPN Leases
3. On the General screen, the VPN policy name is automatically displayed in the Relay DHCP
through this VPN Tunnel field if the VPN policy has the setting Local network obtains IP
addresses using DHCP through this VPN Tunnel enabled.
NOTE: Only VPN policies using IKE can be used as VPN tunnels for DHCP. The VPN tunnel
must use IKE and the local network must be set appropriately. The local network obtains IP
addresses using DHCP through this VPN Tunnel.
4. Select the interface the DHCP lease is bound from the DHCP lease bound to menu.
5. If you enter an IP address in the Relay IP Address field, this IP address is used as the DHCP Relay
Agent IP address (giaddr) in place of the Central Gateway’s address and must be reserved in the
DHCP scope on the DHCP server. This address can also be used to manage this firewall remotely
through the VPN tunnel from behind the Central Gateway.
NOTE: The Relay IP address and Remote Management IP Address fields cannot be zero if
management through the tunnel is required.
6. If you enter an IP address in the Remote Management IP Address field, this IP address is used to
manage the firewall from behind the Central Gateway, and must be reserved in the DHCP scope on
the DHCP server.
7. If you enable Block traffic through tunnel when IP spoof detected, the firewall blocks any traffic
across the VPN tunnel that is spoofing an authenticated user’s IP address. If you have any static
devices, however, you must ensure that the correct Ethernet address is typed for the device. The
Ethernet address is used as part of the identification process, and an incorrect Ethernet address can
cause the firewall to respond to IP spoofs.
11. To configure Static Devices on the LAN, click +Add to display the Add LAN Devices Entry
dialog.
12. Type the IP address of the device in the IP Address field and then type the Ethernet address of the
device in the Ethernet Address field.
An example of a static device is a printer as it cannot obtain an IP lease dynamically. If you do not
have Block traffic through tunnel when IP spoof detected enabled, it is not necessary to type
the Ethernet address of a device. You must exclude the Static IP addresses from the pool of available
IP addresses on the DHCP server so that the DHCP server does not assign these addresses to DHCP
clients. You should also exclude the IP address used as the Relay IP Address. It is recommended to
reserve a block of IP address to use as Relay IP addresses.
13. Click OK.
14. To exclude devices on your LAN, click +Add to display the Add Excluded LAN Entry dialog.
15. Enter the MAC address of the device in the Ethernet Address field.
16. Click OK.
17. Click OK to exit the DHCP over VPN Configuration dialog.
NOTE: If a remote site has trouble connecting to a central gateway and obtaining a lease, verify that
Deterministic Network Enhancer (DNE) is not enabled on the remote computer.
TIP: If a static LAN IP address is outside of the DHCP scope, routing is possible to this IP, that is, two
LANs.
NOTE: Wireless clients are assigned an IP address in this subnet. The IP address and a DHCP server
are automatically created and assign DHCP addresses.
You can use Layer 2 Tunneling Protocol (L2TP) to create a VPN over public networks. L2TP provides
interoperability between different VPN vendors that protocols such as PPTP and L2F do not, although L2TP
combines the best of both protocols and is an extension of them.
L2TP supports several of the authentication options supported by PPP, including Password Authentication
Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft Challenge Handshake
Authentication Protocol (MS-CHAP). You can use L2TP to authenticate the endpoints of a VPN tunnel to
provide additional security, and you can implement it with IPsec to provide a secure, encrypted VPN
solution.
Topics:
l Configuring the L2TP Server
l Viewing Currently Active L2TP Sessions
l Configuring Microsoft Windows L2TP VPN Client Access
l Configuring Google Android L2TP VPN Client Access
NOTE: For more complete information on configuring the L2TP Server, see the technote Configuring
the L2TP Server on SonicOS/X located on the SonicWall support site:
https://www.sonicwall.com/support.
11. Select an authentication protocol and click +Add to add it. You can also remove authentication
protocols or rearrange the order of authentication.
12. Click OK.
User Name The user name assigned in the local user database or the RADIUS user database.
Interface The interface used to access the L2TP Server, whether it is a VPN client or another
firewall.
Authentication Type of authentication used by the L2TP client.
Host Name The name of the L2TP client connecting to the L2TP Server.
NOTE: SonicOS/X supports only X.509 certificates for L2TP clients; PKCS #7 encoded X.509
certificates are not supported in SonicOS/X for L2TP connections.
To enable Microsoft L2TP VPN Client access to the WAN GroupVPN SA:
1. Navigate to the NETWORK | VPN > Rules and Settings page.
2. For the WAN GroupVPN policy, click the Edit icon in the Configure column.
3. On the General screen, select IKE using Preshared Secret for the Authentication Method.
4. Enter a shared secret passphrase in the Shared Secret field to complete the client policy
configuration.
5. Click Save.
6. Navigate to the NETWORK | IPSec VPN > L2TP Server page.
7. In the L2TP Server section, select Enable L2TP Server.
8. Click Configure.
9. Provide the following L2TP Server Settings:
l Keep alive time (secs): 60
l DNS Server 1: 199.2.252.10 (or use your ISP’s DNS)
l DNS Server 2: 4.2.2.2 (or use your ISP’s DNS)
l DNS Server 3: 0.0.0.0 (or use your ISP’s DNS)
l WINS Server 1: 0.0.0.0 (or use your WINS IP)
l WINS Server 2: 0.0.0.0 (or use your WINS IP)
10. Click L2TP Users Settings.
11. Set the following options:
l IP address provided by RADIUS/LDAP Server if a RADIUS/LDAP Server provides IP
addressing information to the L2TP clients. If the L2TP Server provides IP addresses, select
Use the Local L2TP IP pool.
l Use the Local L2TP IP pool: Enabled (selected; the default)
l Start IP: 10.20.0.1 (use your own IP)
l End IP: 10.20.0.20 (use your own IP)
12. Select Trusted Users from the User group for L2TP users drop-down menu.
13. Click Save.
14. Navigate to the DEVICE | Users > Local Users & Groups page.
15. Click Local Users.
16. Click +Add User to display the User Settings dialog.
To enable Google Android L2TP VPN Client access to WAN GroupVPN SA, perform the
following steps:
1. Navigate to the NETWORK | IPSec VPN > Rules and Settings page.
2. For the WAN GroupVPN policy, click the Edit icon.
3. Select IKE using Preshared Secret (default) from the Authentication Method drop-down menu.
4. Enter a shared secret passphrase in the Shared Secret field to complete the client policy
configuration.
5. Click Proposals.
6. Provide the following settings for IKE (Phase 1) Proposal:
l DH Group: Group 2
l Encryption: 3DES
l Authentication: SHA1
l Life Time (seconds): 28800
7. Provide the following settings for IPsec (Phase 2) Proposal:
l Protocol: ESP
l Encryption: DES
l Authentication: SHA1
l Enable Perfect Forward Secrecy: Enabled
l Life Time (seconds): 28800
8. Click Advanced.
9. Set the following options:
l Enable Multicast: Disabled
l Management via this SA: Disable all
l Default Gateway: 0.0.0.0
l Require authentication of VPN clients by XAUTH: Enabled
l User group for XAUTH users: Trusted Users
10. Click Client.
AWS VPN
The AWS VPN page makes it easy to create VPN connection from the SonicWall firewall to Virtual Private
Clouds (VPCs) on Amazon Web Services (AWS). For more information about Amazon Virtual Private Cloud,
refer to https://aws.amazon.com/vpc/.
IMPORTANT: Before setting up AWS VPN, be sure to configure the firewall with the AWS credentials
that it needs to use. Navigate to NETWORK | System > AWS Configuration to do this. In addition,
click Test Configuration to validate the settings before proceeding.
Topics:
l Overview
l Creating a New VPN Connection
l Reviewing the VPN Connection
l Route Propagation
l AWS Regions
l Deleting VPN Connections
Overview
To get to AWS VPN, navigate to NETWORK | IPSec VPN > AWS VPN. The AWS VPN page is dominated
by a table showing the VPCs in the AWS regions of interest. Each row in the table can be expanded to show
the subnets, organized by route table, for the VPC. Other columns in the table show status information, and
the buttons can be used to create and delete VPN connections to the corresponding VPC.
The table on the firewall's AWS VPN page reflects the VPC information that is available on the AWS Console
under the VPC Dashboard.
The New VPN Connection window appears. Provide the public IP address of the firewall as seen from
AWS. Code running on AWS attempts to detect the address and prepopulate the text input field. Verify that
the address is reachable from outside the local network. If the firewall is behind a router or some other proxy,
NOTE: In some circumstances, you might be asked whether to enable Route Propagation. Refer to
Route Propagation for more information.
The IP address you entered is used as the Customer Gateway. Click OK to close the dialog and initiate a
series of processes that configure both the firewall and AWS in order to establish a VPN Connection
between them.
Messages appear in the table row for the VPC that is the subject of the new VPN Connection, keeping you
informed of the progress at the different stages.
If an error occurs at any stage, a message appears with details of the problem and all the changes that have
been made are reversed. This should allow you to correct any issues and try again.
On the firewall, navigate to NETWORK | IPSec VPN > AWS VPN. Find the row in the VPC table
corresponding to the AWS VPC in question and click Information.
NOTE: Because the VPN connection has only just been created, the status is reported as still pending.
Use Refresh on the AWS VPN page to reload the data in the table and on the associated VPN
Connection Details window.
The following sections describe the configuration on the firewall and on AWS.
Two VPN policies are also created, showing that AWS uses two VPNs per VPN connection to provide
redundancy for a failover mechanism. Navigate to NETWORK | IPSec VPN > Rules and Settings. The
VPN policy names used on the firewall are based on the AWS ID for the connection along with a suffix to
differentiate between the two policies.
Matching the two VPN policies, two tunnel interfaces are created. Navigate to NETWORK | System >
Interfaces. They also use a naming convention based on the ID of the VPN Connection.
Similarly, two route policies are created, both using the Address Object representing the VPC as their
destination. Navigate to NETWORK | System > Dynamic Routing. Each one uses a different tunnel
interface.
The customer gateway, the endpoint at the firewall, and the IP address specified when first creating the VPN
connection can also be viewed on the AWS Console. Navigate to the Customer Gateways page, under the
VPC Dashboard.
Route Propagation
Additional steps need to be taken to ensure connections can be made to and from resources on subnets
within a particular VPC. You must also propagate the connections to the route table that is used for the
subnet of interest. Three ways can be used to enable propagation to the route tables in a VPC.
The region selection control is initialized with the default region as specified on the AWS configuration and is
used to send firewall logs to AWS CloudWatch Logs on the AWS Logs page. Regardless of the initial
selection, you can choose which regions from which to show the associated VPCs in the table.
For VPCs that have a corresponding VPN Connection, the button in the related table row in the VPC table
changes from a Create VPN Connection function to Delete VPN Connection. After clicking the button,
the system asks for confirmation and then initiates a process that deletes as many configuration settings as
it safe to do without affecting other VPN connections from this or other firewalls. It removes the associated
VPN and route policies, and the tunnel interfaces on the firewall. On AWS, it removes the Customer
Gateway, but only if it is not being used elsewhere (perhaps on other VPN Connections from the same
firewall but to other VPCs). It does not delete the VPN gateway or change the route propagation settings.
SonicWall Support
Technical support is available to customers who have purchased SonicWall products with a valid
maintenance contract.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24
hours a day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or
death.
The information in this document is provided in connection with SonicWall and/or its affiliates’ products. No license, express or
implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of
products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR
THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY
EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL,
PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF
PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE
THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of
the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without
notice. and/or its affiliates do not make any commitment to update the information contained in this document.